Virus and Spyware Removal Guides, uninstall instructions
![Browser-Security Browser Hijacker](/images/thumbnails/th-25680-browser-security-browser-hijacker.jpg)
What is Browser-Security?
While investigating sites that use rogue advertising networks, our researchers found one endorsing the Browser-Security browser extension.
After inspecting it, we determined that this piece of software operates as a browser hijacker. Browser-Security makes changes to browser settings in order to promote the browser-security.xyz fake search engine. Additionally, this extension spies on users' browsing activity.
![KoRyA Ransomware](/images/thumbnails/th-25679-korya-ransomware.jpg)
What kind of malware is KoRyA?
KoRyA is the name of ransomware belonging to the Xorist family. Our malware researchers discovered KoRyA while examining samples submitted to VirusTotal. We learned that KoRyA encrypts data, appends the ".KoRyA" extension to filenames, changes the desktop wallpaper, creates the "HOW TO DECRYPT FILES.txt" file, and displays an error message.
KoRyA's desktop wallpaper, text file, and error message contain a ransom note. An example of how KoRyA modifies filenames: it renames "1.jpg" to "1.jpg.KoRyA", "2.png" to "2.png.KoRyA", and so forth.
![Bettercallsaul Ransomware](/images/thumbnails/th-25678-bettercallsaul-ransomware.jpg)
What is Bettercallsaul ransomware?
Bettercallsaul is a ransomware-type program that our research team discovered while inspecting new submissions to VirusTotal.
After being executed on our test machine, this malicious program encrypted files and appended a ".bettercallsaul" extension to their names. To elaborate, a filename such as "1.jpg" appeared as "1.jpg.bettercallsaul", "2.png" as "2.png.bettercallsaul", and so on.
After the process completed, Bettercallsaul created ransom notes in the form of a new desktop wallpaper and a text file ("DECRYPT_MY_FILES.txt").
![Zouu Ransomware](/images/thumbnails/th-25677-zouu-ransomware.jpg)
What kind of malware is Zouu?
While examining malware dubbed Zouu, we found that it is ransomware that encrypts files and appends the ".zouu" extension to filenames. Also, Zouu creates the "_readme.txt" file (a ransom note). An example of how Zouu renames files: it changes "1.jpg" to "1.jpg.zouu", "2.png" to "2.png.zouu", and so forth.
We also learned that Zouu belongs to the Djvu ransomware family. Cybercriminals have been observed distributing ransomware belonging to this family alongside information stealers like Vidar and RedLine.
![Unknown Browser Login Email Scam](/images/thumbnails/th-25676-unknown-browser-login-email-scam.jpg)
What kind of email is "Unknown Browser Login"?
Our inspection of the "Unknown Browser Login" email revealed that it is spam operating as a phishing scam. It is presented as an email account security notification alerting the recipient that there has been a suspicious log-in. This spam mail aims to extract users' email account passwords through a fake sign-in page.
![IPTV Player Adware](/images/thumbnails/th-25675-iptv-player-adware.jpg)
What is IPTV Player?
We have examined the IPTV Player application and found that it is an advertising-supported browser extension that shows intrusive advertisements. In most cases, users install (or add) adware inadvertently since it is often promoted and distributed using questionable methods. Our team discovered IPTV Player on a shady web page.
![MajorLetterSearch Adware (Mac)](/images/thumbnails/th-25674-majorlettersearch-adware-mac.jpg)
What is MajorLetterSearch?
After installing a fake Adobe Flash Player setup on our test system, we discovered the MajorLetterSearch application. It operates as advertising-supported software (adware), i.e., delivers intrusive ad campaigns. Additionally, we determined that MajorLetterSearch is part of the AdLoad malware family.
![ExtendedTech Adware (Mac)](/images/thumbnails/th-25673-extendedtech-adware-mac.jpg)
What kind of application is ExtendedTech?
While testing the ExtendedTech application, our team discovered that it displays intrusive advertisements. Therefore, we classified this app as adware. It is common for adware to be promoted and distributed using questionable (often deceptive) methods. Thus, users often download and install it inadvertently.
![Mao Ransomware](/images/thumbnails/th-25672-mao-ransomware.jpg)
What kind of malware is Mao?
While inspecting malware samples submitted to the VirusTotal website, we discovered a ransomware variant belonging to the Dharma family dubbed Mao. We found that Mao encrypts files and appends the victim's ID, sony.mao@techmail.info email address, and ".mao" extension to filenames.
Mao also displays a pop-up window and drops the "info.txt" file, providing two ransom notes. An example of how Mao modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[sony.mao@techmail.info].mao", "2.png" to "2.png.id-9ECFA84E.[sony.mao@techmail.info].mao", and so forth.
![Zoqw Ransomware](/images/thumbnails/th-25671-zoqw-ransomware.jpg)
What kind of malware is Zoqw?
While checking the VirusTotal page for recently submitted malware samples, our team discovered ransomware belonging to the Djvu family dubbed Zoqw. This malware encrypts files, appends the ".zoqw" extension to filenames, and drops the "_readme.txt" file containing a ransom note.
An example of how Zoqw modifies filenames: it renames "1.jpg" to "1.jpg.zoqw", "2.png" to "2.png.zoqw", and so forth. It is likely that cybercriminals distribute Zoqw alongside information stealers such as Vidar or RedLine.